Western Union is one of
the easiest ways to get money and for some crooks one of the easiest
ways to steal it.

… Police say the
suspects called the store and pretended to work for Western Union and
at that point got them to perform a test.

"They call the
store ask to speak to the customer service rep that's working the
counter where Western Union is and tell them to run a test...and the
test is actually sending money instead of running a test," said
Charlotte-Mecklenburg Police Fraud Investigator Kevin Jones.

The con artists managed
to steal more than 3 thousand dollars from the store; it involved 3
separate transactions and took about 50 minutes.

… Police say it’s
the first time they have seen this kind of scam in Charlotte; they
are worried it may spread and want employees to be careful.

"Make sure you're
following store protocols; if you think something is not right, check
with your store manager, call Western Union yourself," said Jones,
who thinks the suspects may be from out of the country.

“It could be Nigeria,
it could be Canadians, it could be the U.K. it could be someone here
in the United States.”

Woody works in a mom-and-pop type store; he says this type of scam
could be devastating.

Also
thought to involve social engineering, well phishing... Would have
required quick work after the funds had been transferred.

On
Friday, October 18, two employees reported receiving email
confirmation of a change in their direct-deposit designation. Police
say that valid credentials (MSU NetID and password) were used by a
perpetrator to modify the employees’ banking information on the EBS
HR/Payroll (SAP) system. It is believed that the perpetrator gained
access to the credentials through a sophisticated “phishing”
attack.

There
is no indication of a system-wide security breach or exposure of
other employee data. As a precaution, the EBS systems were taken
offline late Friday afternoon; it is anticipated that the systems
will be back online Monday morning at 7:00am.

In some restrictive
areas, this is going to be a real concern. Will downloading a
template become illegal (or grounds for a visit by the local gun
cops)? Can I print a 1/10th-scale model of a Gatling gun without
worrying about black helicopters at 3 AM?

Police have seized
components for what could be the UK's first ever 3D-printed
gun in what they called a "really significant discovery".

Greater
Manchester police said they believed the parts represented the
next generation of firearms, which could be created by gangs
in the privacy of their homes and smuggled with ease because they
could avoid X-ray detection.

The gun parts were
discovered, along with a 3D printer, when officers executed warrants
in the Baguley area of the city on Thursday.

Officers found what
were thought to be a plastic magazine and trigger which could be
fitted together to make a viable gun. They said the haul also
included a quantity of gunpowder.

The raid was part of
Challenger, the largest ever multi-agency operation to target
organised crime
in Manchester.

… There have
been suggestions on some websites that the parts were not gun
components but printer parts – a spool holder and a drive block.
Police said they were still concerned about the finding because they
suspected the parts may have other uses.

A police spokesperson
said: "We are aware of this suggestion, and it would be easier
if it was cut and dried as to what these items are. But when you
take it as a whole, including the discovery of gunpowder, it is
disturbing."

A man has been
arrested on suspicion of making gunpowder [Not a 3D printer
item Bob] and remains in custody for questioning.

We
already knew that Rep. Jim Sensenbrenner was getting ready to release
a major
new anti-NSA spying bill called the USA Freedom Act, and Derek
Khanna has just revealed
many of the details of the bill, scheduled to be introduced in both
houses of Congress this coming Tuesday. It will be backed by
Sensenbrenner in the House and Pat Leahy in the Senate, and will have
plenty of co-sponsors (already about 50 have signed up) including
some who had initially voted against the Amash Amendment back
in July. In other words, this bill has a very high likelihood of
actually passing, though I imagine that the intelligence community,
and potentially the White House, will push back on it. For Congress,
gathering up a veto-proof majority may be a more difficult
task.

The
bill appears to do a number of good things, focusing on limiting the
NSA’s ability to do dragnet collections, rather than specific and
targeted data collection, while also significantly increasing
transparency of the activities of the NSA as well as the FISA court
when it comes to rulings that interpret the law.

The
UK intelligence agency GCHQ has repeatedly warned it fears a
“damaging public debate” on the scale of its activities because
it could lead to legal challenges against its mass-surveillance
programmes, classified internal documents reveal.

Memos
contained in the cache disclosed by the US whistleblower Edward
Snowden detail the agency’s long fight against making intercept
evidence admissible as evidence in criminal trials – a policy
supported by all three major political parties, but ultimately
defeated by the UK’s intelligence community.

A
new feature for LinkedIn users has been unveiled, but it’s drawing
more questions over privacy rather than praise for ingenuity.

LinkedIn
announced Intro on October 23, a service that shows your LinkedIn
profile on emails sent through your iPhone Mail application. In the
blog
post about the new tool, the company explains that users will be
able to see at a glance who an unknown email sender is with a brief
bio and link to their LinkedIn account, right in the email client.

But
security experts have expressed concern over the new feature, as it
requires all of your email to be filtered through LinkedIn’s
computers.

Yeah, this Snowden
thing is a real pain in the butt. Fortunately, everyone who never
considered how intelligence was gathered before Snowden will soon
forget Snowden and go back to their “Professional” Wrestling
shows.

A
public backlash against reported US surveillance activities in
France, Germany, and Italy could lead to tough new laws that put
American technology companies in the tough spot of being forced to
defy either US authorities or the European Union.

“In
1995, Robert Ambrogi, former columnist for Legal Technology News,
wrote about the Internet’s potential to revolutionize the
accessibility and delivery of legal information. Almost 20 years
later, Ambrogi now describes his initial optimism as a “pipe
dream.” Perhaps one of the greatest problems facing the legal
industry today is the sheer inaccessibility of legal information.
Not only does this inaccessibility prevent millions of Americans from
obtaining reliable legal information, but it also prevents many
attorneys from adequately providing legal services to their clients.
Whether locked behind government paywalls or corporate cash
registers, legal information is simply not efficiently and affordably
attainable through traditional means. There may, however, be an
answer. Although the legal industry appears to just be warming up to
social media for marketing purposes, social media platforms, like
Twitter, may have the untapped potential to help solve the
accessibility problem. This Note attempts to prove that assertion by
showing an iteration of social media’s potential alternative
use, as an effective and free information sharing mechanism for legal
professionals and the communities and clients they serve.
Generally speaking, law review editors and other academicians demand
that authors support every claim with a citation, or, at the very
least, require extensive research to support claims or theses. This
Note seeks to fulfill this requirement, with a variation on
conventional legal scholarship. Almost all of the sources in this
Note were obtained via Twitter. Thus, this somewhat experimental
piece should demonstrate social media’s potential as an emerging
and legitimate source of legal information. By perceiving and using
social media as something more than a marketing tool, lawyers, law
schools, and, most importantly, clients, may be able to tap into a
more diverse and more accessible well of information. This
redistribution of information accessibility may not only solve some
of the problems facing the legal industry, but also has the
capability to improve society at large.”

I knew we should have
moved faster, now the cable guys are horning in...

TV providers DirecTV,
Time Warner Cable, and Charter Communications are thinking about
capturing free broadcast signals and streaming TV shows over the
Internet to get around paying networks, Bloomberg
reported Friday.

Aereo has been fairly
successful in the courtroom so far. If it wins in the end, it could
mean TV providers can use the same practice to avoid paying
retransmission fees, unnamed sources told Bloomberg. One source goes
so far as to say that Time Warner Cable, which
has been at odds with CBS over fees, has considered buying Aereo.

–
Automatically highlights North American telephone numbers on
websites, showing the location (city and state) when you hover over
the phone number, based on the area code and exchange. To find out
where the phone number is located, you just hover the mouse over the
phone number, and it will start a lookup of the location of the phone
number.

… Coursera makes up
a large part of the online learning universe. The numbers seem to
suggest that it is leading the pack. To add to their ranks, 13 new
institutions have signed up to bring the number of international
institutions using its platform to deliver online courses to 107.
Coursera also reached the milestone of 5 million students
enrolled and now offers them more than 500 courses to choose
from.

… To commemorate
this triple achievement, Coursera released an infographic
on its blog which gives you a bird’s eye view of the educational
offerings on the website.

Friday, October 25, 2013

Schnuck
Markets has agreed to a proposed class-action settlement stemming
from the breach of its computer systems in which an estimated 2.4
million payment cards were compromised.

The
preliminary settlement was presented to St. Louis Circuit Judge David
Dowd on Wednesday afternoon. He is expected to rule on it in the
coming weeks.

He
also is considering a motion to intervene in the case by a lawyer
pursuing one of the related federal lawsuits still pending. The
lawyer, Matt Armstrong, argued at the court hearing that the proposed
settlement may not be a good deal for consumers.

Read more on St.
Louis Post-Dispatch. This proposed settlement sounds like a
much better deal than most customers usually get in one of these
lawsuits, as it includes reimbursement (at $10/hour) for up to three
hours of time spent dealing with the breach, reimbursement for bank
fees, late fees, etc., and instances of identity theft loss. Overall,
reimbursing customers $10 per customer doesn’t sound great, but it
is better than what we usually see.

A “Meta-Hack” for
my Ethical Hackers. Hack a provider's system, and let them install the
malware as part of their “Trusted” service.

Maintainers
of the open-source PHP programming language have locked down the
php.net website after discovering two of its servers
were hacked to host malicious code designed to surreptitiously
install malware on visitors’ computers.

With
Healthcare.gov plagued by technical difficulties, the Obama
administration is bringing in heavyweight coders and private
companies like Verizon to fix the federal health exchange, pronto.
But web security experts say the Obamacare tech team should add
another pressing cyber issue to its to-do list: eliminating a
security flaw that could make sensitive user information, including
Social Security numbers, vulnerable to hackers.

According
to several online security experts, Healthcare.gov, the portal
where consumers in 35 states are being directed to obtain affordable
health coverage, has a coding problem that could allow hackers to
deploy a technique called "clickjacking,"
where invisible links are planted on a legitimate web page.
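The usual defence against clickjacking is to stop other sites from framing your pages at all, which browsers enforce through the `X-Frame-Options` header or, preferably, the `frame-ancestors` directive of `Content-Security-Policy`. The following is an added example (not code from the article or from the Healthcare.gov project) that audits a captured set of response headers the way a defender checking a site would: it parses `frame-ancestors`, falls back to `X-Frame-Options`, and reports why a response is or is not protected. The sample header sets at the bottom are constructed for illustration.

```python
"""Assess whether an HTTP response's headers protect against clickjacking.

Added example; the header values below are constructed, not captured from
any real site. Browsers that understand CSP Level 2 let frame-ancestors
take precedence over X-Frame-Options when both are present, so the check
looks at CSP first.
"""
from typing import Dict, List, Optional, Tuple


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent.

    CSP directives are separated by ';' and each directive is a name followed
    by whitespace-separated sources. Keyword sources such as 'self' and 'none'
    are quoted in the header; the quotes are stripped here for comparison.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'\"") for p in parts[1:]]
    return None


def assess_framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers."""
    csp = get_header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            # A wildcard lets any origin frame the page: no protection at all.
            if "*" in ancestors:
                return False, "CSP frame-ancestors allows any origin"
            return True, f"CSP frame-ancestors restricts framing to {ancestors}"

    xfo = get_header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return True, f"X-Frame-Options: {value}"
        if value.startswith("ALLOW-FROM"):
            # Modern browsers ignore ALLOW-FROM; treat as unprotected and advise CSP.
            return False, "X-Frame-Options ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors"
        return False, f"unrecognized X-Frame-Options value {xfo!r}"

    return False, "no framing protection header present"


# Constructed sample responses (hypothetical, for illustration only).
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "csp_none": {"content-security-policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wildcard_overrides_xfo": {
        "Content-Security-Policy": "frame-ancestors *",
        "X-Frame-Options": "DENY",
    },
}


def audit_samples() -> Dict[str, bool]:
    """Run the check over every sample and return name -> protected."""
    return {name: assess_framing_protection(h)[0] for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        protected, reason = assess_framing_protection(headers)
        print(f"{name:28s} {'OK ' if protected else 'BAD'}  {reason}")
```

Run it against headers captured with a normal HTTP client for each page that holds sensitive form fields; the "csp_wildcard_overrides_xfo" sample shows why a permissive CSP can silently undo an otherwise correct `X-Frame-Options` setting.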

Paul Paray comments on
the recent ruling in California involving statutory damages under the
CMIA in the event of a breach:

Insurers
providing privacy liability coverage were collectively breathing a
sigh of relief last week given a decision from the California Court
of Appeals. Interpreting the California Medical Information Act
(CMIA), the court in Regents
of the Univ. of Cal. v. Superior Court of Los Angeles County, No.
B249148 (Cal. Ct. App. October 15, 2013) significantly
limited the ability of plaintiffs to obtain nominal statutory damages
of $1,000 per patient under CMIA. For the past several years, CMIA
was pretty much the best game in town when it came to statutory
damages involving a data breach. Although enacted in 2008, CMIA was
only over the past several years successfully used by plaintiffs’
counsel to obtain settlements previously unattainable post-breach.
The CMIA “statutory damages” bonanza reaped by class counsel was
significant – the prospect of such damages allowed
counsel to overcome Article III and other “lack of injury”
arguments, potentially allowed for class certification
even with an otherwise uneven plaintiff pool, and created an early
incentive to settle on the part of a defendant – and its insurer –
given the potential size of an award.

It
is no surprise CMIA was the bane of a good number of network security
and privacy insurers – it led to significant settlements that would
not have otherwise occurred. The Regents decision is
noteworthy given it was the first appellate court to decide the
availability of CMIA statutory damages and rejected
the notion that mere negligence coupled with disclosure could trigger
statutory damages. This is a significant departure from
how the law was interpreted by the lower courts and instantly dried
up a good part of the statutory damages manna drunk by the
plaintiffs’ bar.

EFF has filed this
amicus brief (pdf) in support of Lavabit. Here is their press
release on it:

Federal
law enforcement officers compromised the backbone of the Internet and
violated the Fourth Amendment when they demanded private encryption
keys from the email provider Lavabit, the Electronic Frontier
Foundation (EFF) argues in a brief submitted yesterday afternoon to
the US Court of Appeals for the Fourth Circuit. In the amicus brief,
EFF asks the panel to overturn a contempt-of-court finding against
Lavabit and its owner Ladar Levison for resisting a government
subpoena and search warrant that would have put the private
communications and data of Lavabit’s 400,000 customers at risk of
exposure to the government.

For
nearly two decades, secure Internet communication has relied on
HTTPS, an encryption system in which there are two keys: a public key
that anyone can use to encrypt communications to a service provider,
and a private key that only the service provider can use to decrypt
the messages.

In
July, the Department of Justice demanded Lavabit’s private
key—first with a subpoena, then with a search warrant. Although
the government was investigating a single user, having access to the
private key means the government would have the power to read all of
Lavabit’s customers’ communications. The target of the
investigation has not been named, but journalists have noted that the
requests came shortly after reports that NSA whistleblower Edward
Snowden used a Lavabit email account to communicate.

“Obtaining
a warrant for a service’s private key is no different than
obtaining a warrant to search all the houses in a city to find the
papers of one suspect,” EFF Senior Staff Attorney Jennifer Lynch
said. “This case represents an unprecedented use of subpoena
power, with the government claiming it can compel a disclosure that
would, in one fell swoop, expose the communications of every single
one of Lavabit’s users to government scrutiny.”

EFF’s
concerns reach beyond this individual case, since the integrity of
HTTPS is employed almost universally over the Internet, including in
commercial, medical and financial transactions.

“When
a private key has been discovered or disclosed to another party, all
users’ past and future communications are compromised,” EFF Staff
Technologist Dan Auerbach said. “If this was Facebook’s private
key, having it would mean unfettered access to the personal
information of 20 percent of the earth’s population. A private key
not only protects communications on a given service; it also protects
passwords, credit card information and a user’s search engine query
terms.”

Initially,
Levison resisted the government request. In response, a district
court found Lavabit in contempt of court and levied a $5,000-per-day
fine until the company complied. After Levison was forced to turn
over Lavabit’s key, the certificate authority GoDaddy revoked the
key per standard protocol, rendering the secure site effectively
unavailable to users.

Since
Lavabit’s business model is founded in protecting privacy, Levison
shut down the service when it no longer could guarantee security to
its customers.

“The
government’s request to Lavabit not only disrupts the security
model on which the Internet depends, but also violates our
Constitutional protections against unreasonable searches and
seizures,” EFF Staff Attorney Hanni Fakhoury said. “By
effectively destroying Lavabit’s legitimate business model when it
complied with the subpoena, the action was unreasonably burdensome
and violated the Fourth Amendment.”

The
deadline for the government’s response brief is Nov. 12, 2013.

I’m proud to say I’m
a member of EFF. And if you value their advocacy for privacy and
civil liberties, why don’t you, too, throw them some money to
support their work? DONATE.

“Unconcerned with the
implications” is all too common in cases involving new
technologies.

In
Murphy’s view, King is significant less for what it said
than for what it didn’t say. Presented with the major implications
of DNA analysis in the parties’ briefs and the amicus briefs, the
Court didn’t address them. Instead, Justice Kennedy issued a
majority opinion that seemed unconcerned with those
implications.

The National
Constitution Center has posted an audio file of Orin Kerr and Marc
Rotenberg discussing warrantless surveillance with Jeffrey Rosen.
More information and access to the audio file on NCC, here.

Colleen Flaherty
reports on a number of cases where a professor’s email to students
wound up going viral. The AAUP may want to protect “academic
freedom” by treating emails as protected, but free speech advocates
think it’s fair game and fair use.

How
Would The World Look Like Without PowerPoint? Projeqt Gives A Clue

You have to give a
second glance to a web application which is a 2013 Webby
Awards Honoree. Projeqt
walked the red carpet to claim not one but two nominations – Best
User Experience and Web Services and Applications. So,
it seems improper to just start this article and say it is a
PowerPoint alternative. It would be better to describe it – as the
application sees itself – as a creative storytelling tool.

Thursday, October 24, 2013

Surely,
I'm not the only one to notice this. It's one thing to use your
computer to automate trading. Being faster than the other guy is
just a form of arbitrage. (And trading computers are very fast.)
Jumping the gun is at
least conspiracy.
Imagine what it would be if this was a hack by a foreign power.

Reporting from CNBC
and Quartz
points to strong circumstantial evidence that one or more traders
received an early leak of the Federal Reserve's surprise decision
last week not to slow down its bond purchases.

Markets swung rapidly
on the 2 p.m. announcement last Wednesday, with stocks, bonds, and
the price of gold all skyrocketing. Somebody placed massive orders
for gold futures contracts betting on exactly that outcome within a
millisecond or two of 2 p.m. that day -- before the seven
milliseconds had passed that would allow the transmission of the
information from the Fed's "lock-up" of media organizations
who get an early look at the data and the arrival of that information
at Chicago's futures markets (that's the time it takes the data to
travel at the speed of light. A millisecond is a thousandth of a
second). CNBC's Eamon Javers, citing market analysis firm Nanex,
estimates that $600 million in assets could have changed hands in
that fleeting moment.

There would seem to be
three possibilities: 1) Some trader was extraordinarily lucky,
placing a massive bet just before a major announcement that would
make that bet highly profitable. 2) There was a leak, either by a
media organization with early access to the data or even someone at
the Fed. Or 3) The laws of physics have been violated as the
information traveled from Washington to Chicago faster than the speed
of light.

Aaron’s,
Inc., a national, Atlanta-based rent-to-own retailer, has agreed to
settle FTC charges that it knowingly played a direct and vital role
in its franchisees’ installation and use of software on rental
computers that secretly monitored consumers including
by taking webcam pictures of them in their homes.

According
to the FTC’s complaint,
Aaron’s franchisees used the software, which surreptitiously
tracked consumers’ locations, captured images through the
computers’ webcams – including those of adults engaged in
intimate activities – and activated keyloggers that captured users’
login credentials for email accounts and financial and social media
sites.

[…]

The
software was the
subject of related FTC actions earlier this year against the
software manufacturer and several rent-to-own stores, including
Aaron’s franchisees, that used it. It included a feature called
Detective Mode, which, in addition to monitoring keystrokes,
capturing screenshots, and activating the computer’s webcam, also
presented deceptive “software registration” screens designed to
get computer users to provide personal information.

[...]

Additional files on the
complaint and consent order can be found on the FTC’s
web site. And unless I’m missing something, the consent
agreement does not require Aaron’s or its franchisees to actually
notify customers that their personal data was acquired via the webcam
activation.

So how will this
consent order impact a potential class action lawsuit filed by
Crystal and Brian Byrd against Aaron’s in 2011? Previous coverage
of the lawsuit on this blog is linked from here.
The lawsuit is ongoing and Aaron’s has moved for dismissal of the
third amended complaint. Take a look at the docket
for the lawsuit.

President Barack Obama
knew there would be "glitches" and said ahead of time there
would be problems in the October 1 rollout of a key part of his
health care initiative, but "there is no question that we did
not anticipate the scale of problems with the website," White
House spokesman Jay Carney said on Wednesday.

… Before
it even launched, red flags went up about the Obamacare website.
Health insurance companies complained about it, and the site crashed
during a test run. But nobody told the President
of any of it, the nation's health chief told CNN.

A
federal court has issued
an opinion in EPIC
v. NSA, EPIC’s
Freedom of Information Act lawsuit concerning the government’s
policy for the security of American computer networks. As a result
of the lawsuit, EPIC obtained
documents that the National Security Agency had withheld from the
public. The documents
concern NSPD 54, a presidential policy directive outlining the scope
of the NSA’s authority over computer networks in the US. EPIC also
challenged the NSA’s decision to withhold several other records,
including the National Security Presidential Directive 54. A federal
district court has now ruled that NSPD 54 is not subject to the FOIA
because it was not under “the control” of the National Security
Agency and the other federal agencies and officials who received the
presidential directive. The Court also ordered the NSA to
identify and release other documents to EPIC. For more information,
see: EPIC
v. NSA – Cybersecurity Authority.

Of
course they are. It is much more important to avoid any kind of
terrorist incident than to protect your privacy.

The TSA is now searching your
personal records before you get to the airport

… The TSA already
checks travelers against a terrorist watch list, but
The New York Times
reports that the agency will now begin
profiling travelers based on their past travel itineraries, property
records, car registrations and employment information. The result is
a full background check, directing some towards lighter screenings
and others towards more invasive bag checks and pat-downs.

The TSA's stated goal
is to qualify one in four passengers for lighter screening, which
would forgo the typical shoe removal and lighten the agency's
workload, but privacy advocates worried the result

Think
you can keep a medical condition secret from life insurers by paying
cash for prescription meds? Think again.

A
for-profit service called ScriptCheck exists to rat you out
regardless of how diligent you are in trying to keep a sensitive
matter under wraps.

ScriptCheck,
offered by ExamOne, a subsidiary of Quest Diagnostics, is yet another
example of data mining — using sophisticated programs to scour
databases in search of people’s personal information and then
selling that info to interested parties.

The aim of NIST's
framework (PDF)
is to create guidelines that companies can use to beef up their
networks and guard against hackers and cybersecurity threats.
Adopting this framework would be voluntary for companies.

– Do people turn to
piracy when the movies they want to watch are not available legally?
That is the question posed by PiracyData which lists the top 10 most
pirated movies of the week, and then researches into whether those
movies are available for legal rental, purchase, or streaming. Most
movies on the list are currently not available legally which may
explain why people turn to illegal methods.

Attention
Ethical Hackers! Henceforth you shall be called “Fluffy Kitten
Watchers” because apparently you can judge a book by its cover.

The
US District Court for the State of Idaho ruled that an ICS product
developer’s computer could be seized without him being notified or
even heard from in court primarily because he states on his web site
“we like hacking things and don’t want to stop”.

News and media
organizations have been using Google for a long time. Google has
taken things a bit further by giving journalists a rich set of tools
in one centralized hub called Google
Media Tools. Google Media Tools is a collection of all Google
resources that can help journalists enhance their reporting. Common
tools like Google Drive, Google Maps, and Google Search Trends along
with many others find a place in the suite. The idea is not to be
just a diving-board platform for the Google tools journalists need
and use most often. Rather, Google wants this one-stop shop to be a
learning center as well so that journalists of all hues and skill
levels can create compelling stories with all the tools Google has to
offer.

Google Media Tools is
designed to cover everything from research to
developing to publishing,

Wednesday, October 23, 2013

Happy to report a great
win for the ACLU in U.S. v. Katzin. From the decision
issued today by the Third Circuit Court of Appeals:

The
instant case … calls upon us to decide two novel issues of Fourth
Amendment law: First, we are asked to decide whether the police are
required to obtain a warrant prior to attaching a GPS device to an
individual’s vehicle for purposes of monitoring the vehicle’s
movements (conduct a “GPS search”). If so, we are then asked to
consider whether the unconstitutionality of a warrantless GPS search
may be excused for purposes of the exclusionary rule, where the
police acted before the Supreme Court of the United States proclaimed
that attaching a GPS device to a vehicle constituted a “search”
under the Fourth Amendment. For the reasons discussed below, we hold
that the police must obtain a warrant prior to a GPS search and that
the conduct in this case cannot be excused on the
basis of good faith. Furthermore, we hold that all three
brothers had standing to suppress the evidence recovered from Harry
Katzin’s van. We therefore will affirm the District Court’s
decision to suppress all fruits of the unconstitutional GPS search.

A
friend recently brought to my attention a disturbing question from a
psychiatrist working with a transplant team: Should she be checking
the sobriety claims of liver transplant candidates by looking on
their Twitter and other social media sites? That question merits
discussion because it’s clear both doctors and patients are
entering a new world of uncertain medical privacy due to Twitter,
Facebook, Google+ and other outlets.

A
mother sued Twitter for the identities of people who impersonated her
daughter on the social media site, tweeting in her name “my passion
is being fat,” “free hand and blowjobs call me,” and posting
her phone number and picture online.

The
mother sued Twitter on behalf of her minor daughter, in Cook County
Court.

She
seeks a court order compelling Twitter to release the identities of
people who set up two Twitter accounts.

Medical
records start-up Practice
Fusion has attracted a whopping $134 million in venture capital
thanks to its appealing business model: it offers 100,000 (and
counting) medical types free, web-based patient management services.
The doctors get for free something that’s usually
quite expensive, while cashing in on $150 million (so far) in
government incentives to adopt electronic health record
technology. Practice Fusion gets an attractive platform of doctors
that medical labs, hospitals and medical billers pay to access. “Our
community drives $100 billion in spend,” says CEO Ryan Howard. The
start-up also gets data on 75 million patients’ health conditions
and prescriptions, which it de-identifies and then makes
available to analysts, pharma companies, and market research types,
who also pay. You can see why a VC firm like Kleiner Perkins put $70
million into the start-up this September, valuing it at $700
million. It’s like Facebook but with tons of
valuable medical data.

But
the start-up could have a big privacy problem thanks to a doctor
review site it launched in April. ‘Patient
Fusion’ debuted with 30,000 doctor profiles and a stunning two
million reviews, all from verified patients of the doctors. The site
came as a surprise to some doctors – who knew the start-up
emailed their patients appointment and prescription reminders but
didn’t realize it had been reaching out to their patients after
visits asking for reviews. And it is likely a surprise to
some of the patients whose reviews are available publicly on the
site. There are candid reviews with sensitive medical data and
“anonymous reviews” that contain patients’ full names and/or
contact details, suggesting they didn’t realize that what they were
writing was going to be made public.

This sounds like a
HIPAA/CMIA/FTC nightmare brewing. Practice Fusion has a lengthy
privacy policy that says, in part:

Confidentiality
of Health Information: Some of our users – such as
healthcare providers – are subject to laws and regulations
governing the use and disclosure of health information they create or
receive. Included among them is the Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”), the Health Information
Technology for Economic and Clinical Health of 2009 (“HITECH”),
and the regulations adopted thereunder. When we store, process or
transmit “individually identifiable health information” (as such
term is defined by HIPAA) on behalf of a health care provider who has
entered a Healthcare Provider User Agreement, we do so as its
“business associate” (as also defined by HIPAA). Under this
agreement, we are prohibited from, among other things, using
individually identifiable health information in a manner that the
provider itself may not. We are also required to, among other things,
apply reasonable and appropriate measures to safeguard the
confidentiality, integrity and availability of individually
identifiable health information we store and process on behalf of
such providers. To see our Healthcare Provider User Agreement, and to
specifically review our business associate obligations, please review
Sections 4.1.8 and 9 of that agreement. We are also subject to laws
and regulations governing the use and information of certain personal
and health information, including HIPAA, when we operate as a
business associate of a healthcare provider.

If patients weren’t
properly informed about the public nature of their feedback and
didn’t provide informed consent, I’d say that Practice Fusion has
a whopping HIPAA privacy disclosure breach on its hands. Hopefully,
HHS is looking into this whole thing. And if healthcare providers
didn’t fully understand how Practice Fusion would be using the
information provided, then that’s a second round of
complaints/matters to be investigated.

Bad laws never die;
they morph, change names, and attract lots of lobbying money.

“I
am working with Senator Saxby Chambliss (R-Ga.) on bipartisan
legislation to facilitate the sharing of cyber related information
among companies and with the government and to
provide protection from liability,” Sen. Dianne
Feinstein (D-Calif.) told Mother Jones in a statement.

Haven’t the big tech
companies and providers taken enough of a reputation hit already with
the Snowden leaks? Do they really want to come out and support more
data sharing without user consent or knowledge?

That a bill could be a
Good Thing for cybersecurity has never been disputed by the privacy
security. The problems were the lack of meaningful restrictions on
use of personally identifiable information. Until we see the
language of what Senator Feinstein is proposing, we simply won’t
know whether the same privacy concerns will continue or if our
concerns will be appropriately addressed. Given that it’s
Feinstein who’s the sponsor, however, I am not optimistic.

Interesting
that parents (who are not “digital natives”) understand the
negative implications of technology when “educators” (and their
lawyers?) do not.

Angry
parents worried about their children’s privacy are fighting New
York State’s planned turnover of 2.3 million public school
students’ names and records to a private, high-tech corporation
that will store and manage the records within a computerized “cloud”
service.

The
release of data to inBloom Inc., a nonprofit based in Atlanta, will
include information on about 400,000 students on Long Island and is
set to occur this fall or winter, officials said.

Read more on Newsday
(sub. req.). The state, of course, is
minimizing/denying parental concerns:

State
education officials, who have worked with inBloom since 2011 to
establish the “cloud” project, said parents’ fears were
unwarranted.

InBloom
will never release student information without permission from local
districts, state and corporate officials said, and the data cannot be
sold. The service will provide a high degree of data security
through sophisticated encryption, they said.

Notice that there is no
provision for parents to opt-out – or better yet, opt-in – as it
is up to others to determine whether data will be shared.

And those in the state
who are relying on assurances of data security should spend a week or
so reading my blogs, including databreaches.net, to see how many
supposedly secure databases get hacked or compromised on a daily
basis.

“Many eyes, shallow
bugs.” Perhaps the HealthCare.gov gang that couldn’t code straight had never heard this
software mantra. One can’t be sure. The Centers for Medicare and
Medicaid Services, the agency overseeing the technically
troubled Affordable Care Act exchanges, has done a far better
job concealing the details of its systems design, development, and
deployment practices than producing working websites. IT experts
uncharitably observe that what the President describes as “glitches”
are symptomatic of deeper digital dysfunctions. Are they right?

A White House national
security official was fired last week after being caught as the
mystery Tweeter who has been tormenting the foreign policy community
with insulting comments and revealing internal Obama administration
information for over two years.

Classic Reader

Classic Reader is a website dedicated to the classics. This site is a gold
mine for lovers of classic literature as well as school students who
want to read without having to purchase their own copies.

Tuesday, October 22, 2013

… The plot, which
began in 2011, reportedly involved a mix of international drug gangs
and digital henchmen: drug traffickers recruited hackers to penetrate
computers that tracked and controlled the movement and location of
shipping containers arriving at Antwerp's port. The simple software
and hardware hacks—using USB keyloggers and more sophisticated
purpose-built devices—allowed traffickers to send in drivers and
gunmen to steal particular containers before the legitimate owner
arrived.

“When a distinguished but elderly scientist states that something
is possible, he is almost certainly right. When he states that
something is impossible, he is very probably wrong.” Arthur C.
Clarke

When someone from
Marketing explains technology, they are flat out lying.

A close look at Apple’s
iMessage system shows the company could easily intercept
communications on the service despite its assurances to the contrary,
researchers claimed Thursday at a security conference.

Apple asserted
in June, following disclosures about the NSA’s data collection
programs, that iMessage, which lets users send texts over Wi-Fi for
free, is protected by end-to-end encryption that makes it impossible
for Apple or anyone else to descramble the messages.

But researchers at the
Hack in the Box conference in Kuala Lumpur showed it would be
possible for someone inside Apple, of their own volition or because
they were forced to by a government, to intercept messages.

I think I've pointed to
this report before, but I don't store that data for 75 years...

“After the attacks of
September 11, 2001, the government’s authority to collect, keep,
and share information about Americans with little or no basis to
suspect wrongdoing dramatically expanded. While the risks and
benefits of this approach are the subject of intense debate, one
thing is certain: it results in the accumulation of large amounts of
innocuous information about law-abiding citizens. But what happens
to this data? In the search to find the needle, what happens to the
rest of the haystack? For the first time in one report, the Brennan
Center takes a comprehensive look at the multiple ways U.S.
intelligence agencies collect, share, and store data on average
Americans. The report, which surveys across five intelligence
agencies, finds that non-terrorism related data can be kept for up to
75 years or more, clogging national security databases and creating
opportunities for abuse, and recommends multiple reforms that seek to
tighten control over the government’s handling of Americans’
information.”

Many scholars, from
decision scientists to organizational theorists, have addressed this
question from different perspectives, and the answer, as for most
complex questions, is “it depends.” Big Data can lead to Big
Mistakes. After all, the financial sector has been flooded with big
data for decades.

A large body of
research shows that decision-makers selectively use data for
self-enhancement or to confirm their beliefs or simply to pursue
personal goals not necessarily congruent with organizational ones.
Not surprisingly, any interpretation of the data becomes as much an
evaluation of oneself as of the data.

Similar
to the way government builds roads. A study determines that volume
on a given highway will be unacceptable by 2015, so they propose a
two year project to add two lanes each way to the highway. Then they
debate, delay and deny budget for four years, and the project
actually takes three years to complete.

“The statutory
framework for the communications sector largely was enacted prior to
the commercial development and deployment of digital technology,
Internet Protocol (IP), broadband networks, and online voice, data,
and video services. These new technologies have driven changes in
market structure throughout the communications sector. Technological
spillovers have allowed for the convergence of previously
service-specific networks, creating new competitive entry
opportunities. But they also have created certain incentives for
market consolidation. Firms also have used new technologies to
attempt to “invent around” statutory obligations or prohibitions,
such as retransmission consent and copyright requirements. In
addition, firms have developed new technologies that are attractive
to consumers because they allow them to avoid paying for programming
or allow them to skip the commercials that accompany video
programming, but present a challenge to the traditional business
model. The expert agencies charged with implementing the relevant
statutes—the Federal Communications Commission (FCC) and the
Copyright Office—have had to determine if and how
to apply the law to technologies and circumstances that were not
considered when the statutes were developed. Frequently,
this has led parties unhappy with those interpretations to file court
suits, which has delayed rule implementation and increased market
uncertainty. The courts, too, have had to reach decisions with
limited guidance from the statutes.”

“We didn't have the
time to do it right, but we'll take the time to do it over.”

Skillfeed
hosts videos to keep your creative and technical skills current.
There’s no need to schedule a class or sit behind a desk:
Skillfeed is there for you whenever you need it, on any device you’d
like. For less than you’d spend on a single book, get access to
hundreds of skills and tutorials.

Free
Online Courses You Can Study From Anywhere With iversity [Stuff to
Watch]

This week we brought
you the news that iversity
launched with 24 available courses, so now it’s time to bring
you a video prospectus of some of the service’s most interesting
courses on offer.

Just like Coursera,
iversity is a completely free learning experience that delivers the
educational
goods via video lectures, discussion and assignments; all of
which are planned and delivered by lecturers at some of the world’s
top universities.

About Me

I live in Centennial, Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.